CVE-2026-3649

Katalogportal-pdf-sync Widget <= 1.0.0 - Missing Authorization to Authenticated (Subscriber+) Information Disclosure via 'katalogportal_shortcodePrinter' AJAX Action

Severity: medium (Missing Authorization)
CVSS Score: 5.3
Patched in: Unpatched
Time to patch: N/A

Description

The Katalogportal PDF Sync plugin for WordPress is vulnerable to Missing Authorization in all versions up to and including 1.0.0. The katalogportal_popup_shortcode() function is registered as an AJAX handler via wp_ajax_katalogportal_shortcodePrinter but lacks any capability check (current_user_can()) or nonce verification. This allows any authenticated user, including Subscribers, to call the endpoint and retrieve a list of all synchronized PDF attachments (including those attached to private or draft posts) along with their titles, actual filenames, and the katalogportal_userid configuration value. The WP_Query uses post_status => 'any' which returns attachments regardless of the parent post's visibility status.
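Because the plugin is listed as unpatched, a site owner can enforce the missing check from outside the plugin. The must-use plugin below is an added example, not code from the Katalogportal plugin or from this advisory: it hooks the same wp_ajax_katalogportal_shortcodePrinter action at priority 1, ahead of the plugin's own callback at the default priority 10, and rejects and logs callers who lack the required capability. The capability name manage_options, the function names and the log line format are assumptions.

```php
<?php
/**
 * Plugin Name: Katalogportal AJAX guard (added example, not part of the plugin)
 *
 * Runs before the plugin's callback on wp_ajax_katalogportal_shortcodePrinter.
 * The plugin registers its handler with add_action() at the default priority
 * 10; this guard uses priority 1, so it executes first, and
 * wp_send_json_error() terminates the request, so the vulnerable handler is
 * never reached for a denied caller. Capability name and log format are
 * assumptions chosen for this example.
 */

add_action( 'wp_ajax_katalogportal_shortcodePrinter', 'kp_guard_shortcode_printer', 1 );

function kp_guard_shortcode_printer() {
    if ( kp_guard_request_allowed( get_current_user_id(), 'manage_options' ) ) {
        return; // allowed: fall through to the plugin's handler at priority 10
    }

    // Denied: leave a trace for detection, then stop the request with a 403
    // (wp_die() alone would answer HTTP 200 under admin-ajax.php).
    $user = wp_get_current_user();
    error_log( sprintf(
        'katalogportal guard: denied action=katalogportal_shortcodePrinter user=%s(%d) ip=%s',
        $user->user_login,
        $user->ID,
        isset( $_SERVER['REMOTE_ADDR'] ) ? $_SERVER['REMOTE_ADDR'] : '-'
    ) );
    wp_send_json_error( array( 'message' => 'Not authorized.' ), 403 );
}

/**
 * Decision helper kept apart from the hook callback so it can be unit-tested:
 * only a logged-in user holding $capability may reach the listing.
 */
function kp_guard_request_allowed( $user_id, $capability ) {
    return $user_id > 0 && user_can( $user_id, $capability );
}
```

Drop the file into wp-content/mu-plugins/ so it loads on every request without activation.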

CVSS Vector Breakdown

CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:L/I:N/A:N
Attack Vector: Network
Attack Complexity: Low
Privileges Required: None
User Interaction: None
Scope: Unchanged
Confidentiality: Low
Integrity: None
Availability: None

Technical Details

Affected versions: <= 1.0.0
Published: April 14, 2026
Last updated: April 15, 2026
Affected plugin: katalogportal-pdf-sync

Research Plan
Unverified


Exploitation Research Plan: CVE-2026-3649 (Katalogportal-pdf-sync Widget)

1. Vulnerability Summary

The Katalogportal-pdf-sync Widget plugin (<= 1.0.0) contains an information disclosure vulnerability in its AJAX handling logic. The function katalogportal_popup_shortcode() is registered as an AJAX handler via the wp_ajax_katalogportal_shortcodePrinter hook. This function fails to implement any authorization checks (e.g., current_user_can()) or CSRF protection (nonces).

Furthermore, the function utilizes WP_Query with the parameter 'post_status' => 'any', which causes it to retrieve and return metadata for all PDF attachments synchronized with the system, including those associated with Private or Draft posts that should not be visible to low-privileged users.

2. Attack Vector Analysis

  • Endpoint: /wp-admin/admin-ajax.php
  • Action: katalogportal_shortcodePrinter
  • Method: POST or GET (WordPress AJAX handlers typically support both, but POST is standard).
  • Authentication: Required (Subscriber or higher). The wp_ajax_ prefix (without a corresponding wp_ajax_nopriv_) limits this to logged-in users.
  • Payload Parameters:
    • action: katalogportal_shortcodePrinter
  • Vulnerable Component: katalogportal_popup_shortcode() function.

3. Code Flow

  1. Entry Point: A request is sent to admin-ajax.php with action=katalogportal_shortcodePrinter.
  2. Hook Execution: WordPress triggers the hook do_action( 'wp_ajax_katalogportal_shortcodePrinter' ).
  3. Handler Execution: The plugin's registered callback katalogportal_popup_shortcode() (likely in the main plugin file or an included widget file) is invoked.
  4. Data Retrieval:
    • The function retrieves the katalogportal_userid configuration (likely via get_option).
    • It executes a WP_Query or $wpdb query for attachments (post_type attachment) with post_mime_type set to application/pdf.
    • Critically, it uses 'post_status' => 'any', bypassing standard visibility filters.
  5. Response: The function echoes a list (likely HTML or JSON) containing PDF titles, filenames, and the katalogportal_userid.

4. Nonce Acquisition Strategy

According to the vulnerability description, the function lacks any nonce verification.

If, during initial script inspection, a check_ajax_referer or wp_verify_nonce call is discovered, the following strategy will be used:

  1. Identify Script Localization: Search for wp_localize_script in the plugin source to find where the nonce is exposed.
  2. Shortcode Placement: The plugin likely uses a shortcode to render its UI. Identify this shortcode (e.g., [katalogportal_pdf_sync] or similar, inferred).
  3. Page Creation:
    wp post create --post_type=page --post_status=publish --post_title="Sync Page" --post_content='[shortcode_found_in_step_1]'
    
  4. Extraction: Use browser_navigate to the new page and browser_eval to extract the nonce:
    // Example inferred variable names
    window.katalogportal_vars?.nonce 
    

Note: Since the description explicitly states the nonce is missing, the exploitation will proceed without one.

5. Exploitation Strategy

The goal is to demonstrate that a Subscriber can view metadata for PDFs attached to a Private post.

  1. Setup:
    • Log in as Administrator.
    • Create a Private post.
    • Upload a PDF file (e.g., top_secret_data.pdf) and attach it to that Private post.
    • Create a Subscriber user.
  2. Execution:
    • Authenticate as the Subscriber user to obtain a session cookie.
    • Send a POST request to the AJAX endpoint.
  3. Request Details:
    • URL: http://localhost:8080/wp-admin/admin-ajax.php
    • Method: POST
    • Headers: Content-Type: application/x-www-form-urlencoded
    • Body: action=katalogportal_shortcodePrinter
  4. Data Analysis:
    • Inspect the response body for the string top_secret_data.pdf and the katalogportal_userid.

6. Test Data Setup

  • Admin User: admin / password
  • Subscriber User: victim_sub / password
  • Secret Attachment:
    • Post Title: "Confidential Project"
    • Post Status: private
    • Attachment: A PDF file named internal_audit_2024.pdf.
  • Plugin Config: Set a dummy value for the user ID.
    wp option update katalogportal_userid "KP-9999-SECRET"
    

7. Expected Results

  • The response from admin-ajax.php should return an HTTP 200.
  • The response body should contain the filename internal_audit_2024.pdf.
  • The response body should contain the string KP-9999-SECRET.
  • This confirms that a Subscriber can access information about attachments they do not have permission to view.

8. Verification Steps

  1. Post-Exploit Verification:
    • Use WP-CLI to confirm the attachment exists and is indeed attached to a private post:
      wp post list --post_type=attachment --post_status=private
      
  2. Log Check:
    • Check the PHP error log (if enabled) to ensure no "Permission Denied" errors were triggered, confirming the lack of authorization checks.

9. Alternative Approaches

If the wp_ajax_ action requires specific parameters to trigger the query:

  1. Brute Force Parameters: If the function expects a category or ID, try passing id=1 or cat=all.
  2. Shortcode Attributes: If the function is also the callback for a shortcode, inspect katalogportal_popup_shortcode($atts) to see if it accepts attributes that modify the query (e.g., [katalogportal_shortcodePrinter status="any"]). If it handles attributes without sanitization, it may lead to further disclosure.
  3. Response Format: If the response is empty, check if katalogportal_userid must be set for the query to execute. Ensure wp option get katalogportal_userid returns a value before running the exploit.

Research Findings

Static analysis — not yet PoC-verified

Summary

The Katalogportal-pdf-sync Widget plugin fails to perform authorization or nonce checks on its 'katalogportal_shortcodePrinter' AJAX action. This allows any authenticated user, including low-privileged subscribers, to access a list of synchronized PDF attachments (even those associated with private or draft posts) and the sensitive 'katalogportal_userid' configuration value.

Vulnerable Code

// From the Katalogportal PDF Sync plugin

add_action('wp_ajax_katalogportal_shortcodePrinter', 'katalogportal_popup_shortcode');

function katalogportal_popup_shortcode() {
    // Missing current_user_can() authorization check
    // Missing check_ajax_referer() or wp_verify_nonce() check

    $user_id = get_option('katalogportal_userid');

    $args = array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'application/pdf',
        'post_status'    => 'any', // Causes disclosure of attachments belonging to private/draft posts
        'posts_per_page' => -1,
    );

    $query = new WP_Query($args);
    
    // ... logic returning titles, filenames, and $user_id ...
    wp_die();
}
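For comparison, here is a hardened counterpart of the handler above, written as an added example rather than taken from the plugin. It adds the capability and nonce checks, queries attachments under their real status (WordPress stores media as 'inherit', never 'publish'), keeps only those whose parent post is published, and stops echoing katalogportal_userid to the client. The nonce action name katalogportal_shortcode, the manage_options capability and the helper name katalogportal_visible_pdfs are assumptions.

```php
<?php
// Hardened counterpart of katalogportal_popup_shortcode() (added example, not
// the plugin's code). The nonce action name and capability are assumptions;
// the nonce must be created with wp_create_nonce('katalogportal_shortcode')
// and passed to the front-end JS, which sends it as the 'nonce' parameter.

add_action( 'wp_ajax_katalogportal_shortcodePrinter', 'katalogportal_popup_shortcode_hardened' );

function katalogportal_popup_shortcode_hardened() {
    // 1. Authorization before any query; answer with a real 403 for monitoring.
    if ( ! current_user_can( 'manage_options' ) ) {
        wp_send_json_error( array( 'message' => 'Not authorized.' ), 403 );
    }
    // 2. CSRF protection: dies with -1 / HTTP 403 when the nonce is bad.
    check_ajax_referer( 'katalogportal_shortcode', 'nonce' );

    // 3. Attachments carry post_status 'inherit'; visibility comes from the parent.
    $query = new WP_Query( array(
        'post_type'      => 'attachment',
        'post_mime_type' => 'application/pdf',
        'post_status'    => 'inherit',
        'posts_per_page' => -1,
        'no_found_rows'  => true,
    ) );

    // 4. The katalogportal_userid option is used server-side only, never returned.
    wp_send_json_success( katalogportal_visible_pdfs( $query->posts ) );
}

// Keeps only attachments whose parent post is published. Unattached PDFs
// (post_parent 0) are dropped as well, because their visibility cannot be
// inferred from a parent.
function katalogportal_visible_pdfs( array $attachments ) {
    $visible = array();
    foreach ( $attachments as $att ) {
        if ( (int) $att->post_parent === 0 ) {
            continue;
        }
        if ( get_post_status( $att->post_parent ) !== 'publish' ) {
            continue; // private, draft, pending, trashed or missing parent
        }
        $visible[] = array(
            'id'       => $att->ID,
            'title'    => get_the_title( $att ),
            'filename' => wp_basename( get_attached_file( $att->ID ) ),
        );
    }
    return $visible;
}
```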

Security Fix

--- a/katalogportal-pdf-sync.php
+++ b/katalogportal-pdf-sync.php
@@ -1,5 +1,9 @@
 function katalogportal_popup_shortcode() {
+    if ( ! current_user_can( 'manage_options' ) ) {
+        wp_die( 'Unauthorized' );
+    }
+
     $user_id = get_option('katalogportal_userid');
     $args = array(
         'post_type'      => 'attachment',
         'post_mime_type' => 'application/pdf',
-        'post_status'    => 'any',
+        'post_status'    => 'publish',
         'posts_per_page' => -1,
     );
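Review bot: the `'post_status' => 'publish'` replacement on the last `+` line will most likely return no rows at all, because WordPress stores media attachments with status `inherit` (WP_Query defaults `post_status` to `inherit` for `post_type => 'attachment'` precisely for that reason), so this hunk closes the disclosure by breaking the listing. Keep `'post_status' => 'inherit'` and filter on the parent instead, e.g. skip any result where `get_post_status( $attachment->post_parent ) !== 'publish'`. Two further points: the added `current_user_can( 'manage_options' )` gate still leaves the nonce verification that the advisory calls out absent (a `check_ajax_referer()` call belongs next to it), and `wp_die( 'Unauthorized' )` answers with HTTP 200 under admin-ajax.php unless a response code is passed, so `wp_send_json_error( null, 403 )` would give monitoring a status it can alert on. Also, the `@@ -1,5 +1,9 @@` header does not match the hunk's 8 old / 12 new lines.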

Exploit Outline

  1. Authenticate as a low-privileged user (e.g., Subscriber).
  2. Send a POST request to /wp-admin/admin-ajax.php.
  3. Include the parameter 'action=katalogportal_shortcodePrinter' in the request body.
  4. Observe the response, which contains the 'katalogportal_userid' value and a list of PDF attachment metadata, including files attached to Private or Draft posts that the Subscriber should not be able to see.
